Description
In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing permission check in Android's MmsSmsProvider.java allows applications to read sensitive MMS and SMS data without having the proper authorization. The flaw enables local disclosure of private information, as no additional privileges or user interaction are required. It is identified as CWE‑862, an authorization failure that directly leaks confidential data.

Affected Systems

All Android devices that include the MmsSmsProvider component are potentially affected, as outlined in the Android 17 security bulletin referenced by Google. Devices running builds of Android that have not received the latest security update may expose users to this vulnerability.

Risk and Exploitability

The CVSS score of 10 reflects the maximum severity for a local privilege issue that causes data exposure. The EPSS score of less than 1% indicates a very low probability of active exploitation at the present time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that an application runs on the device; the missing permission check can be triggered by any app, making the risk appear local but broad across installations.

Generated by OpenCVE AI on June 18, 2026 at 14:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android firmware update that contains the MmsSmsProvider patch.
  • Ensure that only applications with explicit READ_SMS or READ_MMS permissions can access the provider; disable or revoke permissions for apps that do not require SMS/MMS data.
  • Configure device policy or use a mobile device management solution to enforce strict access control, preventing unauthorized components from querying the provider.

Generated by OpenCVE AI on June 18, 2026 at 14:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure via Missing Permission Check in Android MmsSmsProvider

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure via Missing Permission Check in Android MmsSmsProvider

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-17T10:40:46.047Z

Reserved: 2026-03-02T19:11:00.351Z

Link: CVE-2026-28587

cve-icon Vulnrichment

Updated: 2026-06-17T10:40:37.790Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:15:06Z

Weaknesses